From 931d31a2cb78a1043198666c312ecaa3af94a2a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Sat, 17 Apr 2021 16:28:44 +0200 Subject: [PATCH] deps: V8: cherry-pick 412ac52d8246 Original commit message: [bigint] Fix possibly-uninitialized leading digit on right shift (cherry picked from commit e82a3b4d47a93ab64f07d8c03e3cd17b6b961c3f) (cherry picked from commit 1162c460dee4218abd798b51b88926aef5c8bd61) No-Try: true No-Presubmit: true No-Tree-Checks: true Fixed: chromium:1151890 Change-Id: I26f5c76494a9ff3f5a141f381e1c9a543e368571 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2561618 Auto-Submit: Jakob Kummerow Commit-Queue: Georg Neis Reviewed-by: Georg Neis Cr-Original-Original-Commit-Position: refs/heads/master@{#71422} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2565245 Reviewed-by: Jakob Kummerow Cr-Original-Commit-Position: refs/branch-heads/8.7@{#57} Cr-Original-Branched-From: 0d81cd72688512abcbe1601015baee390c484a6a-refs/heads/8.7.220@{#1} Cr-Original-Branched-From: 942c2ef85caef00fcf02517d049f05e9a3d4b440-refs/heads/master@{#70196} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2624611 Commit-Queue: Victor-Gabriel Savu Cr-Commit-Position: refs/branch-heads/8.6@{#54} Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1} Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472} Refs: https://github.com/v8/v8/commit/412ac52d82466fc6a097bb398d799f9a708beadf PR-URL: https://github.com/nodejs/node/pull/38275 Reviewed-By: Matteo Collina Reviewed-By: Jiawen Geng Reviewed-By: Shelley Vohr
---
 common.gypi | 2 +-
 deps/v8/src/objects/bigint.cc | 2 ++
 deps/v8/test/mjsunit/regress/regress-crbug-1151890.js | 11 +++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-1151890.js
diff --git a/common.gypi b/common.gypi
index b706dc925dc522..45850e0f8de97e 100644
--- a/common.gypi
+++ b/common.gypi
@@ -36,7 +36,7 @@
 # Reset this number to 0 on major V8 upgrades.
 # Increment by one for each non-official patch applied to deps/v8.
- 'v8_embedder_string': '-node.39',
+ 'v8_embedder_string': '-node.40',
 ##### V8 defaults for Node.js #####
diff --git a/deps/v8/src/objects/bigint.cc b/deps/v8/src/objects/bigint.cc
index dfc302e77c8945..3a9e169757526d 100644
--- a/deps/v8/src/objects/bigint.cc
+++ b/deps/v8/src/objects/bigint.cc
@@ -1862,6 +1862,8 @@ Handle MutableBigInt::RightShiftByAbsolute(Isolate* isolate,
 DCHECK_LE(result_length, length);
 Handle result = New(isolate, result_length).ToHandleChecked();
 if (bits_shift == 0) {
+ // Zero out any overflow digit (see "rounding_can_overflow" above).
+ result->set_digit(result_length - 1, 0);
 for (int i = digit_shift; i < length; i++) {
 result->set_digit(i - digit_shift, x->digit(i));
 }
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-1151890.js b/deps/v8/test/mjsunit/regress/regress-crbug-1151890.js
new file mode 100644
index 00000000000000..70a3d6bbf06500
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-1151890.js
@@ -0,0 +1,11 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+for (let i = 0, j = 0; i < 10; ++i) {
+ let x = (-0xffffffffffffffff_ffffffffffffffffn >> 0x40n);
+ assertEquals(-0x10000000000000000n, x);
+ %SimulateNewspaceFull();
+}
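Review bot: The zeroing added on the `bits_shift == 0` path leaves the `else` branch (outside the hunk) still responsible for every digit of `result`, so correctness now rests on the extra overflow digit only ever being reserved when `bits_shift == 0`; that is presumably what the `rounding_can_overflow` computation referenced in the new comment guarantees, but nothing in the hunk checks it. Since `New()` evidently does not zero-fill digits (that is the bug being fixed), pinning the assumption would stop a later change to the overflow computation from re-introducing an uninitialized-heap read, e.g. `DCHECK(bits_shift == 0 || !rounding_can_overflow);` just before the `if`, or moving `result->set_digit(result_length - 1, 0);` ahead of the `if` so both branches are covered. Writing the top digit unconditionally is harmless on this path because the loop overwrites index `result_length - 1` whenever no overflow digit was reserved. RightShiftByAbsolute starts and ends outside the hunk.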
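Review bot: The loop header in the new regression test declares `j = 0` but never reads or updates it, which reads as a leftover from an earlier draft and trips unused-variable lint; `for (let i = 0; i < 10; ++i) {` is sufficient. A one-line comment above the loop stating why it iterates and calls `%SimulateNewspaceFull()` would also help, since the point of the file is that the result digit must be zeroed rather than inherited from whatever the allocator hands back — something like `// Repeat under allocation pressure so a fresh result object is likely to land on non-zero memory.`, hedged as the file does not spell this out.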